back to article Encryption backdoors? It's an ongoing dialogue, say anti-terror bods

It's not every day you walk into a tech conference in San Francisco to find a propaganda video for the Islamic State playing on the screens. Two counterterrorism experts from Washington, DC, were opening the CloudFlare Internet Summit by talking about the use of social media by terrorist groups and what could be done to …

  1. Anonymous Coward
    Anonymous Coward

    Oh dear

    Here we go again. Politicians and feebs who believe that legislation and money will 'make it so'. Scotty, beam me up.

  2. Anonymous Coward
    Anonymous Coward

    both coasts are going to have to learn to trust one another a little more

    The way big government does things that will never happen.

    There are just too many politicians in government that are totally ignorant of anything technical and they will never learn otherwise.

    Maybe there should be a test for technical competence in science, engineering and technology that everyone that would be a politician has to pass before they can offer themselves for election. At least that way we wouldn't get the stupidity that we do today.

    1. Mark 85

      @Ivan 4

      It also goes the other way... who among us trusts Google, MS, etc.? Actually, probably most of us in IT trust neither side.

      BTW, stupidity and politics have gone hand in hand since the first government was set up.

      1. PassiveSmoking

        Re: @Ivan 4

        I tend to favour the side that is basing its stance on mathematical facts (that you can't have secure encryption with more than 2 keys) than on the side that's basing its stance on the fact that they really really really want it and can just pass a law if they don't get their way.

        1. Trigonoceps occipitalis

          Re: @Ivan 4

          @ PassiveSmoking

          Cryptography, as far as I am concerned, is firmly in the realm of Hard Sums. I find the concept of Public Key Cryptography slightly oxymoronic but I trust it even if I can't do the maths. I'm with you on the "more than two keys = insecure" assessment. I do not discount the possibility of a secure back door however unlikely because I have yet to see a claim to have a proof that it cannot be secure, yet alone a peer reviewed proof.

          Probably that is because I don't subscribe to serious mathematical publications, in any case I wouldn't understand the proof. Thus I have to accept the consensus and say "Bugger back doors".

  3. Aitor 1

    The answer

    The answer

    The answer is quite clear: stop using software from the US and the UK as much as possible.

    1. Anonymous Coward
      Stop

      Re: The answer

      If you think that the American and UK software industries are uniquely the problem and that there aren't problems using software solutions from Russia, Germany, India or elsewhere, you are kidding yourself. There are plenty of non-U.S. software vendors out there that are open to attack or data collection, either through relationships with intelligence agencies, relationships with criminal elements or snooping private interests, poor design and coding or poor storage of your data.

      What is needed is open-sourced/easily audited end-to-end encryption. That's the only thing that will protect people's health records, military secrets, the Democratic Party's email servers and the intellectual property that your employer and its suppliers and partners rely on.

      1. streaky

        Re: The answer

        Like, the BND are up to their necks in US-led mass surveillance and Russia is.... Russia. Open source for security tech but it has to be funded by... somebody.. or you get clamav type tooling.

  4. MrTuK

    1+1=3 !!!

    How are NSA/Gov going to force the terrorists to use said backdoored encryption !

    Some of these terrorists are actually quite intelligent and might even write their own encryption then what will said NSA/GOV do ?

    Personally as soon as any said encryption is broken I would use another encryption, so I am sure they would do the same !

    Unless you can force Google and Apple to block any NSA/GOV unauthorized encryption App's which would force them to use Linux as they already know that Win 10 is NSA spyware from day one although I am sure there were some who were stupid enough to use it !

    1. veti Silver badge

      Re: 1+1=3 !!!

      "They can't do it perfectly for everything, therefore they shouldn't do it at all" is one of the sillier arguments trotted out here.

      No security is perfect. That works both ways - no spying is perfect either. The goal isn't to eliminate the threat, no-one thinks that's possible, it's just to continually raise the bar. To make it harder to compete.

      It doesn't have to be impossible to encrypt, it just has to be "hard enough to defeat a high enough proportion of those undesirables who might otherwise do it".

      And how would you know when your encryption was broken?

  5. Doctor Syntax Silver badge

    "[Groups like ISIL] throw out a wide net, and start pulling people in. And when people are pulled in, then they start using secure communications."

    And they will get secure communications to use. If they can't get it from legitimate sources they'll just get it from illegitimate sources. Sorry for the caps but:

    YOU DO NOT STOP PEOPLE WHO ARE INTENT ON BREAKING THE LAW BY FURNISHING THEM WITH MORE LAWS TO BREAK.

    In the meantime, if you cripple legitimate encryption you not only have the baddies still using strong encryption but you have your law-abiding citizens at continual risk.

    You can choose to win one or lose both.

    1. Anonymous Coward
      Anonymous Coward

      Yet, you have to look at it from NSA perspective: they believe if they can easily break into most encrypted communication, they will look at anything they can't break in as "highly suspicious" and worth a closer look, it will "stand out" among the noise.

      What they don't understand is if they backdoor commercial systems, not only criminal but also many honest people will switch to "unbackdoored" encryption unless you make it utterly illegal and prosecute anybody who uses it (which would raise a lot of basic legal issues...), so the "noise" will still be high enough to render the very idea ineffective.

      The main issue is still they have a Manichean mindset - people for them are just evil (and will use only unbackdoored encryption) or good (and will only use backdoored encryption). That's why these agencies may fail spectacularly at identifying real threats even when they are right in front of their nose.

  6. Herby

    Just ask the question...

    Mr. Government, do you want backdoors in YOUR encrypted messages?? How do we tell your messages from other messages??

    So, if there is one "secret key" and it is used for ALL messages, what do you do if it leaks out and your messages are decoded. I don't think that even Hillary would like that!

    1. PNGuinn
      FAIL

      I don't think that even Hillary would like that!

      I don't think that Hillary would even need that.

      There - FIFY.

  7. tfewster
    Facepalm

    "It's an ongoing dialogue", say anti-terror bods...

    ..."because we won't take 'No' (Or 'Impossible', or 'stupid' or 'fuck off') for an answer"

    1. John H Woods Silver badge

      Re: "It's an ongoing dialogue", say anti-terror bods...

      Indeed. There are two type of people who demand safe backdoored encryption: people who don't understand encryption and people who are dishonest. There may be some overlap

  8. NonSSL-Login
    Coat

    Shout about terrorists and paedo's so we can force all companies to use weak encryption to enable us to hoover up all their secrets and pass to american companies for economic espionage.

    Me Cynical? See icon...

    Imagine if Facebook, Twitter, Google etc were created by Arab countries and companies and there were no alternatives. Would they be having this discussion about blocking the US bomb dropping, drone flying terrorists from communicating via their services?

    While I care not for ISIL or whatever they are called, perception of who is causing terror is often in the eye of the beholder. In this case it's the ones in control of a technology who dictate which side wins the information war.

  9. dan1980

    The 'continuing dialogue' . . .

    The problem that 'Washington' and the NSA et al are faced with is that they started this not with an open mind but a fixed goal; not with 'dialogue' but dictation.

    That fixed goal was to get access to encrypted communications and data and, certainly early on, they refused to listen to reason and placed themselves on the moral high-ground pointing down at all those tech companies who were helping the terrorists.

    That rhetoric just hasn't worked because it relied on those same tech companies either voluntarily weakening their encryption or magically squaring the circle.

    Now, they are forced to 'come to the table' and have a 'dialogue' and so forth but the core divide remains: you can have strong encryption or you can have crackable encryption. You can't have both because strong encryption is, by definition, encryption designed to resist being cracked.

    This 'continuing dialogue' won't change that simple fact so I can't see how it will make any progress. In the end, the two options remain: the NSA et al give up and admit that it is impossible to achieve their aims while maintaining acceptably strong encryption; or, they come out and say that they want encrpyption weakened and the government legislates accordingly. (Logistics and actual implementation TBD.)

    The first option is an unbearable loss of face for these people - multiplied due to their bullying stance - and the second option involves them admitting that they simply don't value the things they profess to value and are willing to put everyone's secured communications at risk.

    You can't force something to work just by legislating that it must.

  10. Anonymous Coward
    Facepalm

    What could be done to counteract terrorist groups

    "Two counterterrorism experts from Washington, DC, were opening the CloudFlare Internet Summit by talking about the use of social media by terrorist groups and what could be done to counteract them."

    First off, don't arm and train local militias to overthrow Americas current evil Arab President Bashar al-Assad. The same militias who instead joined up with ex-Iraqi military to attack their erstwhile US allies. The fallout of which being the refugee/migrant crisis in Europe. The fallout of which lead to the Brexit vote. A further fallout being the spooks wanting to further increase their surveillance of us, purely to protect us all from the terr'ists.

    1. streaky

      Re: What could be done to counteract terrorist groups

      The fallout of which lead to the Brexit vote

      This is amusing and massively untrue. Nobody voted for Brexit because of Syrian refugees. They may have voted for Brexit due to the EU being paralysed in the face of them but those numbers are low. People voted for Brexit because the EU is the EU and nothing more need be said.

      1. Paul Stimpson

        Re: What could be done to counteract terrorist groups

        People did vote like that. My mum voted leave because she was convinced it would stop Syrian refugees coming to the UK stowed away in trucks. No amounts of facts or logic would convince her that what was in the Daily Mail was manifestly untrue.

        1. streaky

          Re: What could be done to counteract terrorist groups

          My mum voted leave because she was convinced it would stop Syrian refugees coming to the UK stowed away in trucks

          Well then she's an outlier. There's a problem with the EU that they were (and continue to be) paralysed in the face of them: which is something we all should be embarrassed about and it's true that if the EU was competent it'd probably have had an effect of Syrians trying to cross the channel but I don't buy into a direct relationship.

          Farage also missed this key point.

    2. Anonymous Coward
      Anonymous Coward

      Re: What could be done to counteract terrorist groups

      The refugee crisis began far earlier - it's a decade old "emergency" - Syrians were just an highly visible part for a while. Even the Cameron&Sarkozy-led fall of Gaddafi is not the origin, it just made Libya freer to organize transport, but it happened before as well, and Gaddafi routinely used that to blackmail countries like Italy. Most migrants are from Africa, but there are many also from countries Bangladesh, Pakistan, and South America - which are not "refugees" at all.

      IMHO, more than wars it was the availability of cheap communication media to have increased migration. Those who migrated may easily contact their relative and friends, and increase their will to migrate as well, and also made organizing travels easier - including payments.

  11. MrDamage Silver badge

    Ongoing Dialogue

    Sticking your fingers in your ears and going "LALALALALALALALALALALALALA" is not ongoing dialogue.

    Industry experts, technicians, sysadmins, mathematicians, physicists and other learned folk have repeatedly told you that IT IS NOT POSSIBLE to create secure back doors.

    Remember how the TSA were the only ones who were supposed to have the master keys to the TSA-approved luggage locks? And what happened with that?

    How about Microsoft's "Secure Boot"? What happened to that?

    Even if everyone involved in the whole backdoor shenanigans somehow manage to keep schtum and not leak the details of the backdoor, just remember one thing.

    Whatever you can make, I (or anyone with sufficient time, curiosity and skill) can reverse engineer.

  12. Paul Stimpson

    "It's not going to be resolved with this administration ... The American people will have to weigh in ... The problem is big and broad..."

    In other words... "We're going to keep priming the press with news stories on how terrible tech companies are for 'helping terrorists' until the average member of the public believes it and they shout down the experts so the laws we want get passed."

    1. Lyndon Hills 1

      "The American people will have to weigh in ... The problem is big and broad..."

      just like many Americans, as it happens.

  13. Christian Berger

    Well we need to be realistic

    Organisations can be forced into doing anything by the use of National Security Letters. So having a system that relies on an organisation acting "correctly" is not secure. This obviously includes updates being pushed to you, as well as any non-FOSS and cloud services.

    You cannot easily protect data against physical access. To encrypt data you need a secret which must not be stored on the device itself. A binary PIN is easy to brute-force. Hardware claiming to protect you from brute-forcing can be emulated or simply manipulated easily with hardware like a focussed ion beam microscope.

    So what can you do to regain your right to uncompromised data processing:

    1. Don't store data on mobile devices without protecting them with a strong passphrase.

    2. Don't store data on computers you do not own. Ideally have all the computers you store data on in your own flat.

    3. Use systems that are as simple as possible so you have a chance of understanding them and understanding updates. Try to avoid systems with large organisations behind them, use systems that are developed by loose clusters of people. That way in case a National Security Letter arrives only individual people will be informed and those can simply drop out or their code can be refused by the others.

    4. Avoid systems that are completely insecure. Most "smart"-phones today have their GSM baseband sitting on your system bus allowing it to access all your RAM... considering that GSM baseband chips run closed source, never audited and highly complex code, that's just a security disaster waiting to happen.

    5. Use tamper evident designs when you cannot prevent tampering. For example if you design hardware allow it to be embedded into transparent plastic, perhaps with some glitter around. That way you can avoid the firmware to be updated against your will, or the hardware being manipulated.

  14. Adam 1

    a few quick questions off the bat

    Regarding the backdoor key. I'm going out on a limb here and assuming that we're restricting it to "the good guys".

    Who are the good guys? NSA? Five Eyes? EU? The Philippines? Turkey? Saudi? Russia? China? North Korea? Seriously, who are you going to trust this to?

    Have we developed a branch of mathematics that only works when one of the said good guys is doing it?

    On what occasions will this backdoor key be utilised? Terrorism? Major fraud? Dude of colour walking down the street (that seems to be a capital offence in some parts of the land of the "free")? Murder? Kidnap? Tax avoidance? DUI? Didn't pick up your dog's turd? Where is the line?

    I think protecting the key is not a problem. It's not like the US ever had nuclear secrets stolen by the Russians when they were first trying to develop them? It's not like the organisation responsible for security clearances for government employees was hacked leaking details of 10s of millions of Americans and journalists who had applied for them. Pretty sure nothing could go wrong with that escrow.

  15. Uberseehandel

    From time to time I have had to work with what US embassies euphemistically call "Legal Attachés", or the oddball occupants of corner offices in large international consulting practices. Without exception, none of these people struck me as intelligent, interesting, sophisticated, stylish or educated. It never occurred to me to socialise with any of them. Yet these are the selfsame people who are demanding back doors in encryption tools. . . . go figure oops, they don't do "math".

    Absolute planks.

  16. Anonymous Coward
    Anonymous Coward

    So they've been dancing around the magic word again ..

    So let me throw that in the mix again.

    I get that law enforcement needs the tools to do their work, but mass surveillance is not such a tool - intercepts have to be done with precision or we'll have another disaster where retrospectively it's discovered that they had the info all along, their mass collection just happened to pile a heck of a lot of hay on those oh so important needles. But transparency in the use of these tools is worth ABSOLUTELY NOTHING without (drum roll) ..

    *** ACCOUNTABILITY *** (tadaaaaam!)

    I do not think that law enforcement and agencies should be granted even a *shred* more capabilities before the accountability issue is sorted. If I see GCHQ walking away from flat out breaking the law by lawmakers changing the law afterwards, if I see US cops walking away from what in any definition is called murder, if I see the CIA getting away with spying on the very people that are supposed to regulate them and "accidentally" deleting or "losing" crucial evidence - all of that feeds the (by now well justified) mistrust the public has of law enforcement and politicians.

    I get that some things have to remain confidential, but don't ask me to trust anyone when I see high ranking people escape what should be coming to them. Trust requires honesty, not bullshit, and practically all opportunities to regain that trust have so far been squandered. Fix accountability first, and then we'll talk about powers, NOT the other way around. Otherwise, please stop using words like "law abiding" and "democracy" and just admit you want a police state. Saves time, too.

    Amen.

  17. Destroy All Monsters Silver badge
    Windows

    Chutzpah. Chutzpazh everywhere!

    Left to their own devices for a few minutes, both Easterly and her co-presenter John Mulligan, deputy director of the National Counterterrorism Center, start devising how Silicon Valley can help in their fight against groups like ISIL and Al-Qaeda. "We're trying to get the broader ecosystem to reach young people, point out the hypocrisy of the so-called Caliphate"

    It would be nice to start looking at oneself before finding "hypocrisy" in others.

    The mental and moral corruption, where anything and everything (in particular, wholesale destruction and multi-million ultrakill) can be finagled into a "good thing" sold via trigger words as long as someone is making money on the side, someone's political fantasies are being advanced or Wolf Blitzer types can appear on TV disgusts me. I imagine recruiters of the radical sort can easily exploit the self-contradicting discombobulation of the western self-selecting "elites" to convince interviewees to check out what ISIS can offer.

    In this case:

    1) Al-Qaeda #1: Currently being helped out in taking over large swathes of Yemen by a frankly evil coalition of the US and Saudi Arabia and where attacking the civilian population has gone to levels where even the UN is emitting farty sounds. Western "decision"-makers should be dragged before war crimes tribunals, again (this must be about the 8th time this century alone). Why is this happening? Well, apparently someone from Iran was at one time seen in Yemen possibly buying shoes, leading to demands by Saudi Arabia to help out against "terrorism", which is always a good reason. Did someome say "28 pages"?

    2) Al-Qaeda #2: A potential and likely current ally (under various labels) for meddling in Syria because they want to regime-change the local regime and help out in the fight against ISIS, who are a product of western meddiling in Syria and Iraq, CIA-delivered armements and Saudi-Arabia-delivered doctrine and support. Regime-changing Syria is needed because Syria is part of something called "the Shia crescent" which is apparently scary to Israel and Saudi Arabia, two good allies which we don't want to disappoint. (Israel is now getting 38 billion USD because the US didn't help out enough against scary Iran, which demands adequate compensation be provided, that's definitely not disappointing).

    3) ISIS is "not entirely an enemy" of Turkey, a NATO member (these are the US anti-soviet forces in Europe, for those who didn't live through the Cold War, they have nothing to do with Afghanistan or Georgia or even Russia. Oh, wait...). Geniuses in Turkey's byzantine regime apparently think using ISIS as a trump card to get at black market oil and fight against the Kurds and the Syrian government is a good idea. This will evidently lead to blowback of epic proportions because ISIS has no friends and WWII Germans are cultured connaisseurs in comparison. Amazingly the only one who seems to be not ok with this is Russia. Who are then getting scolded by the the US. Who are bombing in Syria. And haven't even been invited to that particular party. WTF!

  18. Pascal Monett Silver badge
    Flame

    "secure comms are the point at which people move from curious innocents to national security risks"

    False argument. The US Constitution, if it were still respected, is that point.

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    This Amendment does not care if unreasonable searches are conducted via electronic surveillance or by goose-stepping through the house. Neither are permitted. The Constitution says you need a warrant to invade a suspect's privacy, period.

    Why this point is not driven home with a bat sledgehammer is beyond me.

    1. Anonymous Coward
      Anonymous Coward

      Re: "secure comms" (etc)

      This Amendment does not care if unreasonable searches are conducted via electronic surveillance or by goose-stepping through the house

      Ah, delightfully appropriate image. It reminds me of a comment that The Guardian slipped in somewhere, clearly well below the radar for most readers:

      "On the Dr Oz Show, Trump said that when he looks in the mirror he does not see a 70-year-old man. “I would say I see a person that’s 35 years old,” Trump said.

      The campaign did not release any ophthalmic results."

      :)

  19. Rich 11

    Donald Trump... well, who knows?

    "I'm gonna build encryption and it's gonna be great. I'm very smart and I know how to do this, those people don't, those mathematicians who only deal in numbers, in ivory tower plush offices. I know numbers. Dollars, other numbers. I got a plan to fix this, to stop the terrorist Muslims. I'm not telling the generals because they know nothing, the FBI knows nothing. My encryption will do everything needed to make America great again."

    The crowd cheers...

    1. kmac499

      Re: Donald Trump... well, who knows?

      He's probably invested in the Chinese Quantum satellite experiment..

    2. You aint sin me, roit

      Re: Donald Trump... well, who knows?

      "We're gonna build a wall. A firewall. And the hackers will pay for it. Yes they will, yes they will."

  20. DerekCurrie
    Stop

    Encryption is here. It's free. It's unbreakable. What dialogue? With the deliberately DEAF?

    References:

    • The Fourth Amendment to the US Constitution:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    • GPGSuite: https://gpgtools.org

    "Everything you need to get started with secure communication and encrypting files in one simple package.... Use GPG Suite to encrypt, decrypt, sign and verify files or messages. Manage your GPG Keychain with a few simple clicks and experience the full power of GPG easier than ever before."

    • Electronic Frontier Foundation: https://www.eff.org/mention/why-fbi-director-wrong-about-encryption

    Why The FBI Director Is Wrong About Encryption

    EFF Response to FBI Director Comey's Speech on Encryption

    "The FBI should not be in the business of trying to convince companies to offer less security to their customers. It should be doing just the opposite. But that's what Comey is proposing—undoing a clear legal protection we fought hard for in the 1990s. The law specifically ensures that a company is not required to essentially become an agent of the FBI rather than serving your security and privacy interests. Congress rightly decided that companies (and free and open source projects and anyone else building our tools) should be allowed to provide us with the tools to lock our digital information up just as strongly as we can lock up our physical goods. That's what Comey wants to undo...."

    Listen please.

  21. Anonymous Coward
    Anonymous Coward

    On the topic of encryption, I was actually thinking about RIPA the other day and I had a very nasty (read: fucking terrifying) thought along these lines:

    * Someone falsely accuses me of being in possession of child pornography

    * The Gestapo - for lack of a better word - turn up and seize my equipment, as per SOP

    * Before cloning all the equipment as per SOP, one officer told by the department, boots up my computer and plants a VeraCrypt file (let's say CP.hc for this example) that they've made with a 64 character password that only they know with a faked timestamp of a few months back

    * They then clone my stuff, "investigate" and demand I hand over a password for an encrypted file I never created to begin with

    * I cannot comply

    * Go directly to jail, do not pass go, do not collect £200

    * Repeat in five years

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like